YiSpecter, as the malware was named, has mostly affected users in China and Taiwan through four different infection methods. The first relies on the Lingdun worm. This worm, which spreads via the QQ social network and its file-sharing interface, can target a wide variety of device types. It uploads malicious HTML files with pornographic names, which are then shared with other users in the network. When a user opens one of these files, the page detects that the visitor is on an iOS device and serves a version of the YiSpecter adware.
Internet traffic and DNS hijacking is the second method of infection. Attackers compromise servers belonging to local ISPs and use them to show popups advertising an iOS app bundled with YiSpecter; once the app is downloaded and installed, the infection succeeds. These popups appeared only when the web was browsed from a home Wi-Fi network, and not when a proxied browser was used. Only a complaint to the ISP can make the popup disappear.

The third method is offline app installation. As with the first method, the attackers create a malicious app that they promote as QVOD Player version 5. QVOD is a discontinued mobile video player for adult content that the Chinese authorities shut down. This infection method depends on users downloading the app from third-party iOS app portals and installing it manually. Palo Alto also reports claims that some maintenance shops and phone retailers will install the malware for cash.

The last method researchers observed is public promotion of the modified QVOD Player on mobile and underground forums. Users are redirected to the unauthorized iOS app portals of the third method; this channel serves to reach users who would otherwise never have been exposed to the app.

YiSpecter can infect both jailbroken and non-jailbroken devices with the help of four components, all signed with enterprise certificates. These components allow the malware to bypass several of Apple's built-in security protections by abusing private APIs, downloading each other, and passing as one or another legitimate component at various stages of the infection.
Palo Alto Networks says YiSpecter can attack jailbroken and non-jailbroken iOS devices by misusing private APIs, which lets its four components (signed with enterprise certificates) download and install each other from a centralized server and pass as one or another legitimate component at various stages of the infection. Once the infection stage is complete, the malware removes three of the four icons added by these components and disguises the last one as an Apple system app. Once on the user's phone, YiSpecter starts downloading, installing, and launching other arbitrary iOS apps, replacing legitimate apps, and even hijacking existing apps to show ad interstitials every time they are started. The malware can also change Safari's default search engine and bookmarks, alter pages that are currently open, and report device details and user activity to a C&C server. According to Palo Alto researchers, the malware was first noticed in November 2014 and has been infecting iOS devices for over 10 months. It is currently detected by only one of VirusTotal's AV engines, that of the Chinese antivirus company Qihoo, which had also reported on it back in February 2015. The same researchers point out that three of the four components used by YiSpecter are signed with certificates issued to YingMob Interactive, a Chinese mobile advertising platform, and that some of the IP addresses used by the malware also point to YingMob servers. Further, the company developed an app called HaoYi Apple Helper, which, by chance or not, is also the name of the user who has been posting promotional messages for the infected QVOD Player on underground forums (see the fourth method of infection above). The app was later renamed Fengniao Helper and claims to help users install paid iOS apps from the App Store for free.
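The enterprise-certificate angle above is the part a defender can actually check on a device or in an app triage pipeline: an app installed outside the App Store carries an embedded.mobileprovision file, and the profile inside it says whether it was issued for enterprise distribution (installable on any device, no App Store review), for a fixed set of ad-hoc devices, or has already expired. The following Python is an added example written for this article, not code from Palo Alto Networks or from the malware analysis; it pulls the XML plist out of a CMS-wrapped profile by scanning for the XML markers (an assumption about the file layout that holds for Apple-issued profiles; `security cms -D` on macOS is the authoritative decoder and also checks the signature), and classifies the result. The sample profiles and the DER-looking wrapper bytes are constructed for the example.

```python
import datetime
import plistlib

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_profile_plist(blob: bytes) -> dict:
    """Return the property list embedded in a CMS-wrapped provisioning profile.

    embedded.mobileprovision is DER-encoded PKCS#7 SignedData whose payload is an
    XML plist stored as plain text. Locating the XML markers in the raw bytes is a
    portable heuristic (assumption: Apple emits the plist uncompressed, as it does
    in practice). It does NOT verify the CMS signature; use
    `security cms -D -i embedded.mobileprovision` on macOS for that.
    """
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def classify_profile(profile: dict, now=None) -> dict:
    """Summarise how an app was provisioned and flag what a reviewer should know."""
    # plistlib returns naive datetimes for <date> values, so compare against naive UTC.
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    expires = profile.get("ExpirationDate")
    enterprise = bool(profile.get("ProvisionsAllDevices", False))
    devices = profile.get("ProvisionedDevices", [])
    entitlements = profile.get("Entitlements", {})

    if enterprise:
        kind = "enterprise"
    elif devices:
        kind = "ad-hoc/development"
    else:
        kind = "app-store"

    flags = []
    if enterprise:
        flags.append("enterprise distribution: installs on any device without App Store review")
    if expires is not None and expires < now:
        flags.append("profile expired (certificate may have been revoked by Apple)")
    if entitlements.get("get-task-allow"):
        flags.append("debuggable build (get-task-allow entitlement set)")

    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "team_ids": list(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier"),
        "device_count": len(devices),
        "expires": expires,
        "flags": flags,
    }


def wrap_in_fake_cms(profile: dict) -> bytes:
    """Constructed stand-in for the CMS SignedData wrapper: a few DER-looking
    bytes around the serialised plist. Real profiles carry a real signature;
    this only exercises the extraction path."""
    der_prefix = b"\x30\x82\x0b\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    return der_prefix + plistlib.dumps(profile) + b"\x00" * 8


# Constructed sample profiles (team name, IDs and device UDIDs are made up).
ENTERPRISE_SAMPLE = {
    "Name": "Example Enterprise Distribution",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2030, 1, 1, 0, 0, 0),
    "Entitlements": {
        "application-identifier": "EXAMPLE123.com.example.helper",
        "get-task-allow": False,
    },
}

ADHOC_SAMPLE = {
    "Name": "Example Ad Hoc",
    "TeamName": "Example Corp (constructed)",
    "TeamIdentifier": ["EXAMPLE123"],
    "ProvisionedDevices": ["00008020-000000000000001E", "00008020-000000000000002F"],
    "ExpirationDate": datetime.datetime(2015, 1, 1, 0, 0, 0),
    "Entitlements": {
        "application-identifier": "EXAMPLE123.com.example.player",
        "get-task-allow": True,
    },
}


if __name__ == "__main__":
    for sample in (ENTERPRISE_SAMPLE, ADHOC_SAMPLE):
        summary = classify_profile(extract_profile_plist(wrap_in_fake_cms(sample)))
        print(summary["kind"], summary["team"], summary["app_id"])
        for flag in summary["flags"]:
            print("  -", flag)
```

On a real device or IPA, point `extract_profile_plist` at `Payload/<App>.app/embedded.mobileprovision`; an enterprise result on a consumer handset that was never enrolled by an employer is exactly the signal the campaign described above relies on going unnoticed.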
Palo Alto says this is similar to the functionality of the iOS Trojan KeyRaider, which steals Apple account credentials and then uses them to take paid apps from the official store and install them on jailbroken devices for free. Palo Alto has informed Apple of the threat, and Apple will begin revoking the certificates used to install YiSpecter's four components. Last month, another piece of malware, XcodeGhost, infected almost 40 popular apps in the Chinese App Store, which is very uncommon because Apple subjects apps to a strict security review before publication. Although both pieces of malware are unusual, Palo Alto Networks says there is no evidence that XcodeGhost and YiSpecter are related. Palo Alto Networks' blog post has more information on YiSpecter, as well as detailed steps for removing it from devices.